The Cybersecurity Canon is official, and you can now see our website here. We modeled it after the Baseball or Rock & Roll Hall-of-Fame, except for cybersecurity books. We have 20 books on the initial candidate list but we are soliciting help from the cybersecurity community to increase the number to be much more than that. Please write a review and nominate your favorite.

The Cybersecurity Canon is a real thing for our community. We have designed it so that you can directly participate in the process. Please do so!

Executive Summary

I recommend this book for cybersecurity historians and cyber warfare lawyers. It is a bit disorganized and much broader in scope than the title implies. I valued the sections on the importance of open source cyber intelligence, the legal issues involved to conduct cyber warfare operations and the detailed discussion around Russia’s attacks on Estonia, Georgia and Kyrgyzstan. The details around North Korea’s attacks on South Korea and the US are also very good. But, if you are looking to understand the idea of cyber war more thoroughly, this is not the book for you.

Introduction

Out of the three books I have read on Cyber Warfare – Clarke and Knake’s, Andress and Winterfeld’s, and now Carr’s – Inside Cyber Warfare is by far the weakest of the lot. Do not get me wrong, there is some good stuff in here, but the book often feels like a committee wrote it. Carr’s name is on the title but he has adroitly pulled in some deep thinkers to write some of the chapters for him.

This is not a bad approach, but these kinds of books often are a hodgepodge of writing styles and ideas. I have been involved in a lot of these writing projects in my own career – some successes but many spectacular failures – and in order for it to work, the primary editor has to work hard to tell a coherent story. In my opinion, Carr falls short in that goal.

The Story

The book title is misleading. It says it is about Cyber War but Carr covers way more than the Cyber Warfare topic. In the preface, Carr says that,

I fundamentally disagree with this notion. Hacktivism is not warfare. Crime is not warfare. Espionage is not warfare. Terrorism is not warfare. These are all very different things and require nuanced and apportioned thinking to deal with them.

Carr points out that it is likely that a couple of governments have coopted some of their local hackers involved in cybercrime and cyber hacktivism to participate in cyber warfare (Russia) and cyber espionage (China) activities. He also observes that the tools used by these actors in all four activities are similar in nature. But then he implies that because both of those things are likely to be true, then that ties all four motivations (cybercrime, cybersecurity, cyber terrorism and cyber espionage) into a tangled Gordian knot. I do not think this is true. Cybercrime is enmeshed with cyber war in the same way that other kinds of violent crime are enmeshed with “regular” war because both activities use guns. It is just not that entangled. Or if it is, Carr does not make the case for it.

He does make a good case for the power of Open Source Cyber Intelligence — a subject that is near and dear to my heart (I was the iDefense Intelligence Director for many years and later the GM. Open Source Intelligence is what we did). Carr has a nice overview of Russia’s Cyber Warfare Capabilities. Sklerov’s chapter on the legalities of warfare and cyber warfare is probably worth the price of admission alone, although it’s worth noting that you can just download his thesis and read it for yourself. His discussion of the two key legal principles of war,

“Jus ad bellum: governs the transition from peace to war”

“Jus in bello: governs the use of force during war”

When you look at that list, what jumps out at me is that the US, Russia and Israel are all over it. China normally gets all of the headlines because of that country’s cyber espionage activities and Carr highlights those in the book too. But there is a good reason he spends so much time on Russia’s capabilities in this book. Russia has been active in the cyber warfare space since at least 2007. But the US operation called Olympic Games (Stuxnet) is the first use of cyber weapons that could actually meet a decent definition of cyber warfare.

The Tech

What exactly is cyber war? The security community has been debating this topic for over a decade and nobody can agree. The three books I have read so far on the subject have wide ranging definitions. In the Winterfeld/Andress book, the authors review many of the published definitions but throw their hands up in frustration and refuse to define it themselves. Carr defines it as this:

“Cyber Warfare is the art and science of fighting without fighting; of defeating an opponent without spilling their blood.”

I do not like this one. This implies that anybody can conduct war: hacktivists, commercial entities, non-state actors. Those guys can do damage for sure, but what they are doing is not warfare. I think Carr’s definition is too broad.

“[T]he term “cyber war” … refers to actions by a nation-state to penetrate another nation’s computers or networks for the purposes of causing damage or disruption.”

I think this is pretty close for two reasons. First, Clarke insists that nation states pursue cyber war activities and nobody else. This is important when countries deal with the legal authorities required to conduct such operations. I am pretty sure that the cyber criminals, hacktivists and terrorists of the world are not running their plans through their legal department before they execute them. But a nation state must if it wants to interact on the global stage.

In David Sanger’s book Confront and Conceal: Obama’s Secret Wars and Surprising Use of Military Power, Sanger describes President George W. Bush’s decision to move Operation Olympic Games (Stuxnet) away from military channels and into intelligence channels. President Bush made that decision because he did not have the authority to use military forces against a nation that the US was not officially at war with. But, he did have the authority through the intelligence arm in the same way he has the authority to conduct drone strikes in foreign lands.

Second, Clarke says that cyber war activities must cause some sort of physical damage. I think that is dead-on because it separates propaganda activities (web defacements), espionage activities (document exfiltration) and criminal activities (credit card number theft) out of the warfare category. The only weakness in Clarke’s definition is that it says nothing about why a nation state would want to do such a thing.

I would tweak it a bit to say this:

Cyber Warfare involves one or more nation states using cyber weapons to destroy each other’s national treasure to achieve some political purpose.

“[…] war is simply the continuation of policy by other means.”

That is true for cyber war also. But as Winterfeld and Andress would likely point out, there are probably many issues with my definition too. I do think that Carr’s definition is too broad and because of this, his book is much broader than the topic of cyber warfare. There are things that I did like though and the book is worth the read for them. As long as the reader understands where Carr is coming from, there are things to learn here.

Conclusion

Carr’s book is worth the read although it is a bit disorganized and much broader in scope than the title implies. I valued the sections on the importance of open source cyber intelligence, the legal issues involved to conduct cyber warfare operations and the detailed discussion around Russia’s attacks on Estonia, Georgia and Kyrgyzstan. The details around North Korea’s attacks on South Korea and the US are also very good. It is a must-read for cybersecurity historians and I would recommend it to cybersecurity lawyers for Sklerov’s legal chapters. But, if you are looking to understand the idea of cyber war more thoroughly, this is not the book for you.